From: Lee Jones > Sent: 17 December 2021 13:46 > > net/sctp/diag.c for instance is built into its own separate module > (sctp_diag.ko) and requires the use of sctp_endpoint_{hold,put}() in > order to prevent a recently found use-after-free issue. > > In order to prevent data corruption of the pointer used to take a > reference on a specific endpoint, between the time of calling > sctp_endpoint_hold() and it returning, the API now returns a pointer > to the exact endpoint that was incremented. > > For example, in sctp_sock_dump(), we could have the following hunk: > > sctp_endpoint_hold(tsp->asoc->ep); > ep = tsp->asoc->ep; > sk = ep->base.sk > lock_sock(ep->base.sk); > > It is possible for this task to be swapped out immediately following > the call into sctp_endpoint_hold() that would change the address of > tsp->asoc->ep to point to a completely different endpoint. This means > a reference could be taken to the old endpoint and the new one would > be processed without a reference taken, moreover the new endpoint > could then be freed whilst still processing as a result, causing a > use-after-free. > > If we return the exact pointer that was held, we ensure this task > processes only the endpoint we have taken a reference to. The > resultant hunk now looks like this: > > ep = sctp_endpoint_hold(tsp->asoc->ep); > sk = ep->base.sk > lock_sock(sk); Isn't that just the same as doing things in the other order? ep = tsp->assoc->ep; sctp_endpoint_hold(ep); But if tsp->assoc->ep is allowed to change, can't it also change to something invalid? So I've have thought you should be holding some kind of lock that stops the data being changed before being 'allowed' to follow the pointers. In which case the current code is just a missing optimisatoion. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)